search

code-423n4 / 2023-06-reserve-findings

1 stars 0 forks source link

StRSR.cancelUnstake doesn't call _payoutRewards before minting new shares #39

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/StRSR.sol#L341-L380

Vulnerability details

Impact

StRSR.cancelUnstake doesn't call _payoutRewards before minting new shares. As result this rewards will be distributed for new staker as well.

Proof of Concept

If user wants to cancel his withdraw, then he can call StRSR.cancelUnstake and mint new shares from the RSR amount he wanted to withdraw. This minting will use current stakeRate to find out stRSR amount to mint.

The problem is that _payoutRewards function is not called before minting. It should be because, this function increases stakeRSR param with rewards, which then changes stakeRate.

As result user that decided to cancel withdraw will receive part of rewards which he should not receive.

Tools Used

VsCode

Recommended Mitigation Steps

Call _payoutRewards, before minting new stRSR to user.

Assessed type

Error

tbrent commented 1 year ago

Dup with #10

c4-sponsor commented 1 year ago

tbrent marked the issue as sponsor confirmed

c4-judge commented 1 year ago

0xean marked the issue as duplicate of #10

c4-judge commented 1 year ago

0xean marked the issue as satisfactory